Joker Virus is Back, Targeting Android Devices

 

The notorious Joker has made a comeback, according to Belgian police, who cautioned about the Joker Virus that only targets Android smartphones and lurks in numerous apps available on the Google marketplace known as Play Store. 

The Joker malware is among the most tenacious and annoying viruses for Android, and it is even capable of infecting people through the Google Play Store, since it is disguised within seemingly harmless apps. This Joker software can completely deplete victims' bank accounts of all funds. The 'Joker' Trojan infection is part of the Bread malware family, whose primary goal is to hijack cell phone bills and allow activities without the user's knowledge. 

According to experts at cybersecurity firm Quick Heal Security Lab, the Joker virus could access text messages, contact information, and a variety of other data on a user's smartphone, enabling it to enroll in websites providing premium services. As a result, users face the danger of receiving a large bill from their bank or credit card at the end of the month. 

"This malicious program has been detected in eight Play Store applications that Google has suppressed," stated the Belgian authorities in a statement published on Friday 20th August on their website. 

The 'Joker' malware made headlines in 2017 for attacking and stealing data from its victims while masquerading in several applications. Since that day, Google Play Store defense systems have deleted approximately 1,700 apps containing the 'Joker' malware before they could be installed by users. The 'Joker' virus was discovered in 24 Android applications in September 2020, with over 500 thousand downloads before even being deactivated. It is suspected that more than 30 countries were impacted at the time, along with the United States, Brazil, and Spain. Hackers might take up to $7 (approximately 140 Mexican pesos) per subscription weekly via illicit memberships, an amount that has most certainly escalated in recent months. 

According to La Razón, the cybersecurity firm Zscaler has publicly revealed the names of 16 other apps that, according to its investigation, also include this dangerous code: Private SMS, Hummingbird PDF Converter - Photo to PDF, Style Photo Collage, Talent Photo Editor - Blur focus, Paper Doc Scanner, All Good PDF Scanner, Care Message, Part Message, Blue Scanner, Direct Messenger, One Sentence Translator - Multifunctional Translator, Mint Leaf Message-Your Private Message, Unique Keyboard - Fancy Fonts & Free Emoticons, Tangram App Lock, Desire Translate and Meticulous Scanner. 

Initially, apps infected with 'Joker' or other malware from this family committed SMS fraud, but they soon began to target electronic payments. These two strategies make use of telephone operators' interaction with suppliers to permit service payment via the mobile bill. Both necessitate device authentication but not human verification, allowing them to automate transactions without requiring any user participation. 

In addition, it is typical for those impacted by 'Joker' to be unaware of the theft unless they thoroughly study their bank statements. This is because the bank does not detect an apparently 'regular' membership and, in general, the charges are so small that they are not noticed as odd movements, therefore the account holder does not even send a traffic notification. 

Furthermore, the malicious applications that the Google Play Store removed upon discovering that they carried the 'Joker' virus are as follows: Auxiliary Message, Element Scanner, Fast Magic SMS, Free Cam Scanner, Go Messages, Super Message, Super SMS, and Travel Wallpapers.

Google Play is Infested with Fake Crypto Mining Apps

 

Google has deleted eight bogus mobile apps from the Play Store that pretend to be bitcoin cloud-mining apps but are actually designed to trick users into paying for pricey subscription services and engaging in other unlawful acts. Although they may have been removed, Trend Micro researchers discovered that when searching Google Play for the keywords "cloud mining," several problematic applications of the same sort remain. 

“Cloud mining introduces both convenience and cybersecurity risks. Because of the simplicity and agility of cloud computing, it is quick and easy to set up a realistic-looking crypto mining service that is really a scam,” said Ioannis Gasparis, a mobile application security researcher at Lookout, in a report released in July. 

These phoney Android apps target those who want to make money online by persuading them to invest in a cloud-mining company. All eight recently removed apps were found to be infected with one of two malware families: FakeMinerPay and FakeMinerAd. 

“These apps were able to fly under the radar because they don’t actually do anything malicious,” said Ioannis Gasparis. “They are simply shells set up to attract users caught up in the cryptocurrency craze and collect money for services that don’t exist. Purchasing goods or services online always requires a certain degree of trust — these scams prove that cryptocurrency is no exception.”

According to Cifer Fang, a researcher at Trend Micro, these malicious apps merely fool victims into watching adverts, make them pay for subscription services with an average monthly charge of $15, and also encourage them to pay for greater mining capabilities without getting anything in return. 

According to Trend Micro's findings, the apps don't actually mine anything; instead, "fake mining activity on the apps' user interface (UI) is carried out via a local mining simulation module that comprises a counter and certain random operations."

“The app called Daily Bitcoin Rewards – Cloud Based Mining System prompts its users to upgrade their crypto-mining capacity by ‘buying’ their favorite mining machines to earn more coins at a faster rate,” Fang noted. 

Two of the phoney crypto mining apps (Bitcoin [BTC] – Pool Mining Cloud Wallet and Bitcoin 2021), according to Trend Micro's analysis, bombarded their users with adverts with the primary purpose of enticing victims to click.

Google Plans to Ban 'Sugar Dating' Apps From September

 

Google is all set to remove "Sugar Dating" applications from the Play Store in order to make the Android app download market a safer place. From September 1, "Sugar Dating" apps will no longer be available on the Play Store, according to the company. 

Google is targeting applications that promote financial compensation in relationships, as there is a slew of "Sugar Daddy" type dating apps available. Google's "inappropriate content policy" has been modified and additional limits will be imposed on sexual content, especially forbidding "compensated sexual relationships" (i.e., sugar dating).  

A relationship in which a male provides money or possessions to someone younger than him in exchange for favors is referred to as a "Sugar Daddy" relationship. Previously, this didn't appear to be an issue for Google, but many platforms are rapidly attempting to establish an atmosphere that is more in touch with today's awareness culture. 

But, considering that certain traditional dating apps and social networks are also utilized for paid relationships, the question is how big of an impact it will have on them. Eventually, this update is primarily intended to safeguard young people from privacy and safety concerns while using applications. 

Google is taking these steps at a time when Trump's Fosta-Sesta law from 2018 is being increasingly utilized to target sites that encourage prostitution and online sex work. This legislation makes it simpler to penalize websites that aid in sex trafficking. Operators of sites that allow sex workers to communicate with clients, for example, may face a 25-year jail sentence. 

Although the law has hardly ever been enforced to date and could serve as a barrier, a 2020 report by a group of sex workers called Hacking/Hustling mentioned that the law has had a "detrimental effect on online workers' economic stability, safety, access to the community, and clinical outcomes," as pressure on online platforms results in the elimination of tools such workers use to stay safe. 

Google's update also seeks to enhance children's safety, particularly their privacy. Advertisers will no longer be able to get advertising IDs from a child-oriented application. These IDs are basically surfing data that advertisers use to tailor their ad campaigns to effectively reach their target market and improve sales. Google, like other digital powerhouses, appears to be moving in the direction of effectively safeguarding young people on platforms and other networks.  

Furthermore, Google's Store Listing and Promotion policy will be updated on September 29, 2021, to ban spam text and images in app titles, icons, and developer names.

Updated Joker Malware Floods into Android Apps

 

The Joker mobile virus has made its entry back on Google Play with an increase in malicious Android apps that mask the billing fraud software, according to researchers. It's also employing new techniques to get beyond Google's app vetting process. 

Joker has been hiding in the shadows of genuine programs including camera apps, games, messengers, picture editors, translators, and wallpapers since 2017. Once installed, Joker applications discreetly simulate clicks and intercept SMS messages to sign victims up for unwanted, paid premium services controlled by the attackers - a kind of billing fraud known as "fleeceware". 

Malicious Joker applications are widely available outside of the official Google Play store, and they've been escaping Google Play's safeguards since 2019. This is mostly due to the malware developers' constant modification of their attack approach. As a result, periodic waves of Joker infections have occurred within the official store, including two large outbreaks last year. 

Over 1,800 Android applications infected with Joker have been deleted from the Google Play market in the previous four years, according to Zimperium experts. Since September, at least 1,000 new samples have been discovered in the newest wave, with many of them making their way into the legitimate market. 

According to a Zimperium analysis, “Malicious actors have routinely found new and unique ways to get this malware into both official and unofficial app stores. While they are never long for life in these repositories, the persistence highlights how mobile malware, just like traditional endpoint malware, does not disappear but continues to be modified and advanced in a constant cat-and-mouse game.” 

According to Zimperium, the developers of the most recent versions of Joker, which first appeared in late 2020, are using legitimate developer techniques to “try and hide the actual intent of the payload from traditional, legacy-based mobile security toolsets,” which allows them to escape both device-based security and app store protections. 

Flutter, a Google-developed open-source app development kit that allows developers to create native apps for mobile, web, and desktop from a single codebase, is one way they're accomplishing it. The researchers explained, “Due to the commonality of Flutter, even malicious application code will look legitimate and clean, whereas many scanners are looking for disjointed code with errors or improper assemblies”. 

New techniques: 

Another anti-detection method recently implemented by Joker enthusiasts, according to the research, is the habit of embedding the payload as a .DEX file that may be obfuscated in a variety of ways, such as being encrypted with a number or buried inside a picture via steganography. 

In the latter scenario, according to researchers, the picture is sometimes stored in authorized cloud repositories or on a remote command-and-control (C2) server. Other new behaviors include hiding C2 addresses with URL shorteners and decrypting an offline payload using a mix of native libraries. 

The new samples also take further steps to remain covert when a trojanized program is loaded, according to researchers. “After successful installation, the application infected with Joker will run a scan using Google Play APIs to check the latest version of the app in Google Play Store,” researchers explained. 

“If there is no answer, the malware remains silent since it can be running on a dynamic analysis emulator. But if the version found in the store is older than the current version, the local malware payload is executed, infecting the mobile device. If the version in the store is newer than the current one, then the C2s are contacted to download an updated version of the payload.” 

Consumers and enterprises alike at risk:

The apps are appearing in a variety of places, including Google Play and unauthorized third-party markets, as well as other legitimate channels, some for the first time. For example, the official app store for Huawei Android, AppGallery, was recently discovered to be infected with the Joker virus. 

According to Doctor Web, the applications were downloaded to over 538,000 smartphones by unsuspecting users in April. 

Saryu Nayyar, CEO at Gurucul, stated in the email, “Sadly, the Joker malware is no joke. And even more depressing, no dark knight is going to ride in to save users from these malicious apps. Users have to manually clean their devices of this pesky malware. The good news is that it appears the only damage is financial and likely temporary. Users who have been subscribed to premium mobile services as a result of this malware can request refunds for said services since the affected applications are known.” 

Earlier this year, Josh Bohls, CEO and founder at Inkscreen, said that Joker is an issue for businesses as well as people. “These malicious applications can find their way into the enterprise when an infected device is enrolled in a company’s bring-your-own-device (BYOD) program, and suddenly you have a new threat vector,” he said via email.

$350,000 Stolen from Users by Fake Cryptocurrency Mining Apps

 

The year 2021 will be remembered as a watershed moment for cryptocurrencies. Despite its ups and downs, Bitcoin is still valued at over $32,000 per coin. Not only Bitcoin, but most other cryptocurrencies have enjoyed significant price increases this year. As a result, there has been a surge of crypto apps, both in app stores and from third-party developers. Many of these apps, however, are scams. Lookout, a security organization, has published a detailed analysis on dangerous crypto-mining apps. 

More than 170 Android apps that claim to provide cryptocurrency mining services for a fee are essentially scams, according to the researchers. 25 of the 170 were hosted on Google Play, and they are attempting to defraud cryptocurrency enthusiasts by proposing cloud-based mining services. 

Cryptocurrency mining is using computing power (from a personal computer or a rented system) to solve computational and cryptographic tasks in exchange for coins. However, the processing power necessary for many types of cryptocurrency is now greater than a single personal computer, allowing individuals to join mining pools and share the effort — and the profits.

Because they didn't appear to be doing anything that would trigger the Play Store's automated policy compliance checks, these apps were able to dodge any and all detection and checks in place for apps listed on the Play Store. In reality, these apps were doing absolutely nothing. Google has since deleted the apps from the Play Store. Bitcoin and Ethereum are among the coins they claim to be mining. These apps cost $12.99 to $259.99, and you could pay with Google Play's saved payment methods or crypto coins like Bitcoin, which you could send directly to the developer's crypto wallet. 

There were even higher-tier membership options that required users to pay more money in exchange for a lower minimum balance requirement and better benefits. The Lookout Threat Lab thinks that these apps, which are available on the Google Play Store and third-party app stores, have defrauded more than 93,000 consumers and stolen at least $350,000 in subscription fees and in-app purchases.

“While CloudScam and BitScam apps have now been removed from Google Play, there are dozens more still being circulated in third-party app stores. In total, the operators generated at least $350,000. They stole $300,000 from selling the fake apps and an additional $50,000 in cryptocurrencies from victims paying for fake upgrades and services. Most of the scam apps either have fake information or don’t have any terms available,” say the researchers.

Cloud Cryptomining Scam in Google Play Rakes in Cash

 

Researchers stated that fraudulent crypto mining applications available for download on Google Play have scammed more than 93,400 people so far, taking at least $350,000. 

The applications, which are divided into “BitScam” and “CloudScam” variants, market themselves as delivering bitcoin mining services for a charge, according to Lookout. 

“These apps were able to fly under the radar because they don’t actually do anything malicious,” said Ioannis Gasparis, a mobile application security researcher at Lookout, in an analysis released on Wednesday. 

“They are simply shells set up to attract users caught up in the cryptocurrency craze and collect money for services that don’t exist. Purchasing goods or services online always requires a certain degree of trust — these scams prove that cryptocurrency is no exception.” 

In addition to charging for the “apps,” the fraudsters push extra services and upgrades that users may buy within the apps, either directly by transferring Bitcoin to the creators' wallets (the BitScam version) or through the Google Play in-app billing system (the CloudScam version). On the official Google Play store, there were 25 similar apps, with a total of 170 when third-party app shops are included. Although the crypto mining applications have been deleted from Google Play, there are still hundreds more accessible for side-loading, according to Gasparis. 

He said in the report, “Cloud mining introduces both convenience and cybersecurity risks. Because of the simplicity and agility of cloud computing, it is quick and easy to set up a realistic-looking crypto-mining service that is really a scam. Cybercriminals have set up similar schemes to steal from desktop users, [but this is] the first scam that packages this scheme into mobile apps.” 

How mobile, socially engineered cryptomining scams work: 

After downloading the app and creating an account, users are presented with an activity dashboard that claims to show the “available hash mining rate.” It also has a counter for the number of coins the victims are supposed to have earned. 

“The hash rate displayed is typically very low to lure the user into buying upgrades that promise faster mining rates,” Gasparis noted. Such “virtual hardware” upgrades can range from $12.99 to $259.99, Lookout found. Other “upgrades” include spendier subscription plans with lower minimum withdrawal balances and higher supposed mining rates. Users also are told they’ll earn “20 percent” of their friend’s earnings if they refer someone to the app, and are offered “daily rewards.” 

In terms of the coin counter, the applications just show a fake balance. The counter progressed only when the app was running in the foreground in some of the applications examined, and it was reset to zero when the mobile device was rebooted or the app was resumed. Some of the totals were limited: After counting to 10 on the CloudScam software "BTC Cash," for example, the counter resets to zero. 

“If cloud mining was actually taking place in either BitScam or CloudScam, we would expect the coin amount displayed to be stored in a secure cloud database and queried via an API,” Gasparis stated. 

Users are also prevented from withdrawing any coins unless they achieve a certain minimum balance in the applications (not that any coins actually exist). Even if such balance is purportedly attained, the applications merely display a notification informing the user that the withdrawal transaction is pending while simultaneously resetting the user's coin balance to zero. The user may receive an error message stating that the balance is inadequate for withdrawal in some situations. 

According to Gasparis, the first samples of these crypto-scam apps were disseminated through third-party app stores in the second half of 2019. He went on to say that it's possible that since then, rival entities have emerged to market their products in this area. 

He added, “My conclusion that CloudScam and BitScam are run by competing groups is based on the fact that each family has completely different codebases. There are a lot of mentions of Android bitcoin miners in general on the Dark Web, though nothing specific to the apps we found.” Gasparis informed Threatpost that he had no idea how to fix the applications, including how to halt subscriptions and reclaim any costs. 

“Purchasing goods or services online always requires a certain degree of trust in the vendor or at least the app store processing the transaction,” Gasparis noted in the report.

“While this is true for any online transaction, it is even more important with respect to financial services such as cryptocurrency investments. The scammers running this scheme were able to tap into the existing frenzy created by the hot cryptocurrency market. But no matter how high cryptocurrency valuations climb, there is no substitute for appropriate due diligence before purchasing a cryptocurrency mining app.” 

Lookout has five suggestions for identifying bitcoin scammers: 

1. Get to know the app's creators. What certifications or credentials do they have, what other applications have they created, do they have a website, and can you contact them? 

2. Install it from a reputable app store. While it's difficult to identify fraud, downloading from an official shop decreases your chances of getting malware. 

3. Take the time to read the terms and conditions. The majority of scam applications contain fictitious information or lack any terms. 

4. Use the app's reviews from other users to your advantage. When it comes to spotting frauds, reading other users' experiences with the app may be eye-opening. 

5. Understand the app's permissions and functions. Examine the app's actions for any red flags. Is the program requesting rights that it doesn't require to function? Is there a sudden crash or reset of the app, a sudden reset of the bitcoin balance, and a sudden reset of the displayed numbers? 

Cryptomining Scam Apps:

The scam apps that were available on Google Play and may still be installed on victims’ phones are:

1. BitScam (18): Top Coins, Mr Bitcoin, Star BTC, Bitcoin Burn, Moon BAT, Bito Holic, Bito Hash, BitHash, Multi Coins, BitcoinCash Miner, Airdrop, Bright Miner, Pink BTC, XMR Miner, COIN Master, ETHMINER PRO, crypto cloud mining pro and Btc Miner pro.

2. CloudScam (7): Bito Miner, Mining Machine, BTC CLOUD, BTC Cash, Black Crypto, Cloud Mining, and Crypto Pro-Miner.

500,000 Huawei Devices hit by the Joker Malware

 

Security researchers have discovered that over 500,000 Huawei smartphone users have downloaded apps contaminated by the Joker malware, which inadvertently subscribes them to premium mobile services. For the past couple of years the Joker malware family has infected apps on Google's Play Store, but this is the first time it has appeared on Huawei phones. Huawei users rely on the company's in-house platform, App Gallery, because they are not able to access the Google Play Store due to business restrictions in the USA. In the App Gallery, researchers discovered some 10 apparently harmless applications containing malicious code that connects to a command-and-control server for installation and additional components. 

A source noted that “Doctor Web’s virus analysts have uncovered the first malware on App Gallery―the official app store from the Huawei Android device manufacturer. They turned out to be dangerous Android.Joker trojans that function primarily to subscribe users to premium mobile services. In total, our specialists discovered that 10 modifications of these trojans have found their way onto App Gallery, with more than 538,000 users having installed them.”

The researchers mentioned that the malware might subscribe the user to up to five services, but that restriction could be changed at any time by the threat actor. The list of malicious applications included digital keyboards, a camera app, a launcher, an online messenger, a sticker set, coloring programs, and a game. Most of the applications came from one developer (Shanxi Kuailaipai Network Technology Co., Ltd.), and two came from separate developers. More than 538,000 Huawei users have installed these 10 applications, as per Doctor Web’s reports. 

Doctor Web notified Huawei of these applications, and the company detected and removed them from the App Gallery. Although new users can no longer download them, users who already have the applications on their devices must remove them manually. Upon being enabled, the malware transmits a configuration file to the remote server, including a task list, premium service websites, and JavaScript which imitates user interaction, the researchers state. 

The history of Joker malware goes back to 2017, and it has consistently made its way into games distributed through the Google Play store. In October 2019, Kaspersky Malware Researcher Tatyana Shishkova tweeted about over 70 compromised applications that had made it into the official store. And the malware reports in Google Play continued to surge. In early 2020, Google announced the removal of some 1,700 Joker-infected applications. Joker remained in the store last February, and even in July of last year it was still slipping through Google's defenses.

Fake Netflix App Spreads Malware via WhatsApp Messages

 

Researchers have discovered malware camouflaged as a Netflix application, prowling on the Google Play store and spread through WhatsApp messages. As per a Check Point Research analysis released on Wednesday, the malware took on the appearance of an application called "FlixOnline," which was publicized by means of WhatsApp messages promising "2 Months of Netflix Premium Free Anywhere in the World for 60 days." But once installed, the malware begins stealing information and credentials.

The malware was intended to monitor incoming WhatsApp messages and automatically react to any that the victims get, with the content of the response crafted by the adversaries. The reactions attempted to bait others with the proposal of a free Netflix service, and contained links to a phony Netflix site that phished for credentials and credit card information, analysts said. 

“The app turned out to be a fake service that claims to allow users to view Netflix content from around the world on their mobiles,” according to the analysis. “However, instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor a user’s WhatsApp notifications, sending automatic replies to a user’s incoming messages using content that it receives from a remote server.” Once you install the FlixOnline application from the Play Store, it asks for three sorts of authorizations: screen overlay, battery optimization ignore, and notification. Researchers from Check Point noticed that overlay is utilized by malware to make counterfeit logins and steal client credentials by making counterfeit windows on top of existing applications. 

The malware was additionally able to self-propagate, sending messages to client's WhatsApp contacts and groups with links to the phony application. With that in mind, the computerized messages read, “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE [Bitly link].”

“The malware’s technique is fairly new and innovative,” Aviran Hazum, manager of Mobile Intelligence at Check Point, said in the analysis. “The technique here is to hijack the connection to WhatsApp by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager. The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags.”
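
A defender-side check for the permission set described above, as an added example that is not from Check Point or the original post: it parses a decoded AndroidManifest.xml (for instance, apktool output) and flags the overlay, battery-optimization and notification-access combination, plus the SMS read access that Joker-style billing fraud relies on. The manifests, package names and rule names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used throughout AndroidManifest.xml.
ANDROID = "{http://schemas.android.com/apk/res/android}"

OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
IGNORE_BATTERY = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS_READ = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


def extract_capabilities(manifest_xml):
    """Return (requested permissions, notification-listener service names)."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID + "name")
            if name:
                requested.add(name)
    # Notification access is not a <uses-permission>: the app declares a
    # service that only the system may bind to, guarded by this permission.
    listeners = [
        svc.get(ANDROID + "name", "?")
        for svc in root.iter("service")
        if svc.get(ANDROID + "permission") == NOTIF_LISTENER
    ]
    return requested, listeners


def audit_manifest(manifest_xml):
    """Return a list of (rule_id, detail) findings for manual review."""
    requested, listeners = extract_capabilities(manifest_xml)
    findings = []
    if OVERLAY in requested and IGNORE_BATTERY in requested and listeners:
        findings.append((
            "overlay+battery+notification-listener",
            "draws over other apps, stays alive in the background and reads "
            "notifications via " + ", ".join(listeners),
        ))
    elif listeners:
        findings.append(("notification-listener", ", ".join(listeners)))
    sms = sorted(requested & SMS_READ)
    if sms:
        findings.append(("sms-read-access", ", ".join(sms)))
    return findings


# Constructed sample manifests (not taken from any real app).
SAMPLE_FAKE_STREAMING = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freestreaming">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission
      android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="FreeStream">
    <service android:name=".NotifyService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

SAMPLE_WALLPAPER = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Wallpapers"/>
</manifest>
"""

SAMPLE_FLASHLIGHT = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("streaming", SAMPLE_FAKE_STREAMING),
                       ("wallpaper", SAMPLE_WALLPAPER),
                       ("flashlight", SAMPLE_FLASHLIGHT)):
        print(label, audit_manifest(xml))
```

A finding is a prompt for review rather than a verdict: legitimate messengers and accessibility tools request some of these permissions too, so the result should be weighed against what the app claims to do.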

Trend Micro Detects Vulnerabilities in The SHAREit Program

 

Trend Micro has found several vulnerabilities in the SHAREit program. The bugs may be exploited to extract sensitive data from users and to run arbitrary code with SHAREit's permissions by using malicious code or programs. They can also lead to remote code execution (RCE). In the past, the software was often associated with bugs that could be used to download and abuse users' files. While the app allows file types like the Android Package (APK) to be uploaded and updated, the bugs associated with these functions were most definitely unintended. 

SHAREit is one of the best-known applications in the Google Play Store. Users can download and distribute files and share them with others using this app. SHAREit was also one of 60 Chinese apps barred late last year in India. Notably, the Android application has been downloaded more than one billion times. 

The vulnerabilities can be used to execute malicious code for the SHAREit program on smartphones. The key cause of safety deficiencies is the lack of appropriate controls on who can access the code of the program.

Echo Duan, a mobile threats analyst for security firm Trend Micro, reported that malicious applications installed on a user's device, or attackers executing a person-in-the-middle network attack, can send malicious instructions to the SHAREit app and hijack its legitimate code-execution functionality, overwrite the app's local files, or install third-party applications without the user's knowledge.

The app is also susceptible to so-called Man-in-the-Disk attacks, a form of vulnerability first identified by Check Point in 2018 that centers on the insecure storage of app assets in the part of the phone's storage that is shared with other applications [in which attackers can erase, edit, or substitute them]. 

"We reported these vulnerabilities to the vendor, who has not responded yet," Duan said today. "We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data," he added, noting that it will also be impossible to track attacks from the viewpoint of a defender.

On their website, SHAREit developers say that 1.8 billion people in over 200 countries around the world use their software. The iOS app for SHAREit is not affected and runs on a different codebase. Though the software was last updated in its Play Store listing on February 9, 2021, a fix for the revealed vulnerabilities has not been listed in the update's changelog. At the time of publication, the software is still available for download.

For software makers, businesses, and consumers alike, security should be a top priority. Trend Micro suggests that device operating systems and the applications themselves should be regularly updated and patched for secure mobile app use.

Fleeceware Apps Prey on Android Users

 

A fleeceware application isn't conventional Android malware, as it doesn't contain malicious code. Rather, the danger comes from excessive subscription charges that it may not clearly disclose to mobile users. Fleeceware tricks a victim into downloading an application that intrigues them. At that point, the developer relies on the user forgetting about the program as well as failing to notice the actual subscription charge. These developers target younger users who probably won't pay attention to the subscription details. The developer fleeces the victim by fooling them into paying for something they probably don't need, may not realize they have, or could have gotten elsewhere free of charge.

In January 2020, SophosLabs revealed that it had identified more than 20 fleeceware applications hiding in the Android marketplace. These applications had a combined total of more than 600 million installations. One of those applications charged users $3,639.48 yearly, or $69.99 every week, for showing daily horoscopes. A couple of months later, Google updated its policies to ensure that users understood the full price of an application subscription when free trials and introductory offers end, and how to manage their application subscriptions. That didn't stop some people from trying to get around Google's policies. In August 2020, Google removed some fleeceware applications for failing to include a dismiss button and for showing subscription information in small, light fonts. 

Avast reported seven fleeceware applications to Google Play in mid-November. Most of these applications claimed to offer Minecraft-related skins, maps, and mods for the well-known game. Others offered skins for different games or advertised themes and wallpapers for Android devices. Using those disguises, all of the applications managed to attract more than 100,000 users before Avast found them. Five of them boasted more than 1,000,000 downloads. 

Organizations can help safeguard their users against fleeceware applications, for example, by using Mobile Device Management (MDM) to restrict the functionality of applications installed on corporately owned cell phones. They can likewise use ongoing security awareness training and maintain a list of permitted mobile applications and marketplaces that employees can use on their cell phones.

Google Banned 29 Android Apps Containing Adware


Research has found that almost all malware is designed to target Android users. To prevent users from installing adware-filled apps built to stealthily access their banking and social media credentials, Google has made a continuous effort, including the introduction of 'Google Play Protect'. The main idea behind Play Protect is to keep your device, apps, and data secure by automatically scanning apps in real time and identifying any potentially malicious ones. Despite the strength of Google's machine learning algorithms and constantly improving real-time technology, the operations of Potentially Harmful Applications (PHAs) do not seem likely to halt any time soon, as cybercriminals are devising new methods to evade detection by Play Protect as well.

Recently, Google pulled 29 apps from the Play Store as they were found to be infected with adware. Most of these apps posed as photo editing apps with a 'blur' feature, which also gave the investigation that unveiled the malicious operations its codename, "CHARTREUSEBLUR". The apps were discovered as part of an investigation by White Ops' Satori threat intelligence team. In total, these Android apps had more than 3.5 million downloads.

As per the observations, these malicious apps were promoting irrelevant advertisements, which are said to be used to evade detection. After the victim installs any of these apps, the icon to launch the app immediately disappears from the home screen and cannot be found anywhere, making it highly inconvenient for users to remove the adware-laden apps from their devices. Moreover, there was no 'Open' function to be found on the Play Store either.

To stay on the safe side, the investigation team advised Android users to stay wary of adware-filled apps by examining reviews properly before downloading and not to fall for fake 5-star reviews. Apps that seem new and have received a very large number of downloads in a short period of time should be strictly avoided.

The 29 recently banned Android applications included Color Call Flash, Photo Blur, Photo Blur Master, Super Call Screen, Square Blur Master, Blur Photo Editor, Super Call Flash, Auto Picture Cut, Square Blur Photo, and Magic Call Flash, among a few others.

Google Playstore Removes 25 Android Apps that Stole User Login Credentials


In a recent cybersecurity incident, Google removed 25 applications from its Google Play Store as they were alleged to steal users' FB credentials. According to Google, these applications were downloaded around 2.35 million times before the Play Store decided to shut them down. All 25 applications were created by the same developer; even though they seemed to work differently and offer different features, they were all peas in a pod.

These apps presented themselves as video editors, photo editors, wallpaper apps, file managers, mobile games, and flashlight apps, says Evina, a France-based cybersecurity organization. When the firm came to know about the incident, it reported it to Google, and precautionary measures were taken immediately to protect end users. The malware was also reverse-engineered so that no damage could take place. The 25 apps had malware embedded in them, which stole FB login credentials whenever the user launched the FB application.

Although the apps worked legitimately, they contained hidden malicious code. The code could detect which app had most recently been launched on the user's device. If it was FB, these apps would create a fake login page that looked the same as the original to steal the user's login credentials. If the user entered their login credentials, the app would capture the data and transfer it to a remote server domain. When Google came to know about the issue after Evina's claims in May, it verified it before taking down these apps. The Play Store removed these 25 apps earlier this month, some of which had been in use for more than a year.

"When an application is launched on your phone, the malware queries the application name. If it is a Facebook application, the malware will launch a browser that loads Facebook at the same time. The browser is displayed in the foreground, which makes you think that the application launched it. When you enter your credentials into this browser, the malware executes javascript to retrieve them. The malware then sends your account information to a server," said Evina in a blog post.

Is A Cheap Phone Worth The Cost Of Your Privacy?


There is absolutely no room for doubt that Chinese manufacturers offer a wealth of affordable gadgets with extraordinary specs to boot. In fact, Xiaomi would most likely be among the brands that you would consider when searching for a decent deal.

However, a few recent revelations put its privacy practices into question.

Security researchers Gabriel Cirlig and Andrew Tierney, speaking to Forbes, claimed that Xiaomi's web browsers gather an 'over the top' amount of information even in incognito mode. This purportedly included all URLs and search queries made in the stock MIUI browser, as well as Mi Browser Pro and Mint Browser.

When combined, these programs have in excess of 15 million downloads on the Google Play Store. As per Forbes, “The device was also recording what folders had been opened and to which screens the user swiped, including the status bar and the settings page.”

Tierney later followed up on Xiaomi's blog post with a Twitter thread defending the primary findings with additional evidence. In the said blog post, the Chinese manufacturer claimed that all data gathered is anonymized and that its practices are the same as the industry standard.

Nevertheless, not long after issuing the statement, Xiaomi pushed an update to its browsers, permitting users to 'toggle off' data collection in incognito mode.

Xiaomi claims that all information it gathers is anonymized, although this has been questioned by the findings of the security researchers.

However, even if Xiaomi's side of the argument is taken into account, there has been proof that some anonymized information can still be traced back to users. The New York Times proved this with anonymous location data.

While browser data may be a bit harder to link to a user than location data, it could be possible depending upon how the information is gathered and stored. In Xiaomi's case, the addition of the 'toggle off' option is likewise disappointing because it means the default hasn't changed.

The Chinese company will continue gathering incognito browser data unless users are aware of the toggle and explicitly opt out.

Given that Xiaomi is the fourth-largest smartphone manufacturer by market share, this means that for the average user who is not particularly 'tech-savvy', the status quo remains the same.


Rise of a Mobile Banking Malware Which Steals Personal Financial Information



In its most recent advisory, the federal cybersecurity agency cautions about the rise of a new mobile banking malware called "EventBot", which purportedly steals personal financial information and might affect Android phone users in India.

The Trojan infection may "masquerade as a legitimate application such as Microsoft Word, Adobe flash and others using third-party application downloading sites to infiltrate into victim device", as per an alert issued by the Computer Emergency Response Team of India (CERT-In), the national technology arm to combat cyber-attacks and guard the Indian cyberspace.

“It has been observed that a new Android mobile malware named EventBot is spreading. It is a mobile-banking Trojan and info-stealer that abuses Android's in-built accessibility feature to steal user data from financial applications, read user SMS messages and intercept SMS messages, allowing malware to bypass two-factor authentication," said the CERT-In warning.

According to CERT-In, the virus "to a great extent targets financial apps like PayPal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, TransferWise, Coinbase, paysafecard and so on."

The agency said that while "EventBot" has not been "seen" on Google Playstore till now, it can "masquerade" as a genuine mobile phone application.

The virus further prompts users to grant access to their device's accessibility services. The advisory said that the virus is capable of retrieving notifications about other installed applications and reading the contents of various applications.

"Over time, it can also read Lock Screen and in-app PIN that can give the attacker more privileged access over victim device."

The cybersecurity agency has proposed certain counter-measures to check the virus infection within Android phones: "Do not download and install applications from untrusted sources like unknown websites and links on unscrupulous messages; install updated anti-virus solution; prior to downloading or installing apps (even from Google Playstore), always review the app details, number of downloads, user reviews, comments and the 'additional information' section."

Lastly, it asked users to refrain from using unsecured, unknown Wi-Fi networks, and to verify a banking/financial application with the source organization beforehand.

Attention! Fake Extensions on the Chrome Web Store Again!


Google was reportedly in the news for having removed 49 Chrome extensions from its browser's store for stealing crypto-wallet credentials. What's more, after that, an additional set of password-swiping "extensions", aka "add-ons", surfaced, which are up for download even now.

Per sources, the allegedly malicious add-ons exist on the browser store disguised as authentic crypto-wallet extensions. These entirely uncertified add-ons invite people to fill in their credentials, which makes it easy to siphon them off and gain access to the digital money.

Reports mention that the security researchers have confirmed that 8 of the 11 fake add-ons impersonating legitimate crypto-wallet software have been removed, including "Jaxx Ledger, KeyKeep, and MetaMask." A list of "extension identifiers" that was reported to Google was also provided.

Per researchers, there was a lack of vigilance on the part of the Google Web Store because it apparently approves phisher-made extensions without giving the issue the attention it demands. Another thing that disturbs the researchers is that these extensions had premium ad space and are the first thing a user sees while searching.

According to sources, much like the Google Play Store with malicious apps, the Google Web Store had been facing difficulty in guarding itself against malicious actors. There also hadn't been much of a response from its team about the issue.

One solution that was most talked about was that Google should at the least put into effect mechanisms in the Chrome Web Store that automatically impose trademark restrictions for the store and the ad platforms in it.

Per sources, Google's Chrome Web Store "developer agreement" bars developers from violating intellectual property rights and also clearly mentions "Google is not obligated to monitor the products or their content". Reports mention that, as per Google's ad policy, it reviews trademark issues only when it has received a complaint from a trademark holder.

Heeding all the hue and cry about the extensions, Google did announce more restrictions with the aim of wiping out fake extensions and spammers creating poor-quality extensions that were causing people trouble.

The alterations in the policy will block the spammers and developers from swarming the store with similar extensions and elements with questionable behavior. Word has it that because of hateful comments the Chrome Web Store was “locked down” in January.

But, as promising as it may be, allegedly Google has been making such promises about the Chrome Web Store security strengthening for more than half a decade. So no one can blame researchers for their skepticism.

All you need to know about the new threat "Fleeceware" and how to protect yourself!


SophosLabs, a cybersecurity firm, has discovered a range of apps on the Google Play Store and Apple's iOS App Store whose sole purpose is to charge users huge subscription and other fees for features and services they could get for free.

Though these apps trick the user, they neither steal your data nor run any malicious code, so fundamentally they are not malware. Sophos calls them fleeceware, malicious apps hiding in sheep's clothing. "Because these apps exist in a categorical grey area that isn’t overtly malware, and isn’t a potentially unwanted app (PUA), we’ve coined the term fleeceware, because their defining characteristic is that they overcharge users for functionality that’s widely available in free or low-cost apps." writes Sophos Labs.

They found 25 such Android apps on Google Play store in January and 30 apps on the iOS App Store that could be fleeceware.

 "In our capitalistic society, you can look at fleeceware apps and say if somebody wants to waste $500 per year on a flashlight app that’s up to them," says John Shier, Sophos senior security adviser. "But it’s just the exorbitant price that you’re being charged, and it's not done aboveboard. That, to me, is not ethical." 

You have to be careful while paying for in-app purchases, and especially subscriptions. These apps will offer a trial period but will demand payment the first time you open the app. Or they could ask for a high payment for simple, basic features, like $9 per week or $30 per month for a photo filter.

Fleeceware apps exploit the marketing model of the Play Store and App Store, finding loopholes to charge their skyrocketing prices. But Google is tightening the leash. It announced last week that developers will be required to make details of subscriptions, free trials, and introductory offers more precise and clear by June 16.

 "Part of improving the subscription user experience comes from fostering a trustworthy platform for subscribers; making sure they feel fully informed when they purchase in-app subscriptions," Angela Ying, Google product manager wrote in a blog. 

 How to avoid fleeceware? 

Through some simple steps you can avoid falling into the traps set by this fleeceware:


  1.  Install apps developed by prominent developers. Big companies and their apps offer features like emojis, selfie filters, and QR code scanners for free. 
  2.  If you found something exclusive that the app is providing, it's better to compare prices by doing a quick search. 
  3.  If you think your subscriptions are getting a bit out of hand and want to check which apps you have subscribed to and which ones you'd like to cancel, the Play Store and iOS App Store both offer an option where you can see all your subscriptions. 


"On iOS, open Settings, tap your name, and then Subscriptions to view and manage everything. Or you can open the App Store, insert your initials in the upper right corner, and tap Subscriptions. On Android, open the Play Store, tap the hamburger menu icon in the upper right, and choose Subscriptions to view and manage your signups."

Google Doubling Down On Efforts to Protect Android Users


With the rise in in-application subscription scams on Android, Google has announced the introduction of new Play Store policies intended to forestall such scams in the near future.

The American multinational technology company additionally pledged to provide Android users with direct assistance in the form of notifications when a trial is going to turn into a paid subscription, or a subscription is going to renew automatically.

The newly announced policies demand that application developers offer clear information about the obligations associated with subscription models and free trials, and provide a simple and easy way for users to cancel subscriptions. These latest policies are a small part of a more extensive Google campaign, aimed especially at ensuring the privacy and security of Android users.

The newly announced policies focus mostly on fleeceware, a form of application that 'manipulates' trial periods and membership models to defraud victims. This kind of application usually burdens the user with complex terms and conditions that conceal unjustifiable subscription commitments.

As part of the new requirements, developers must distinguish with enough clarity between features accessible free of cost and those accessible only to paying subscribers. In turn, Google will send a notification to users when a free trial is set to end or when a subscription longer than three months is due to renew.

The firm will likewise give warnings if a user attempts to uninstall an application attached to an ongoing subscription.

The new policies are said to take effect on June 16, so users should take particular care when handling in-application subscriptions on Android in the meantime.

Apart from this, the company took the initiative to remind developers that its new assessment procedure will take effect in August, which will require developers to gain approval from Google before requesting location data from the end user.

Further Play Store 'tweaks' are likewise in the pipeline, which will reportedly address issues related to deceptive content and applications.

100 Million Android Users Warned Against Using this "Very Dangerous" VPN App


Millions of Android users are being cautioned against using a popular Android VPN that was removed by Google from its Play Store. The action was taken by Google after researchers found vulnerabilities in 'SuperVPN' that could leave devices open to malware attacks and allow attackers to redirect victims to malicious servers.

As of now, the app has around 100 million downloads; in 2016, however, when the risks associated with the app first surfaced in related research, it had only 10,000 downloads in total.

While testing, security researchers identified three main issues with the app:

1. Unencrypted HTTP traffic: The communications can be intercepted by attackers; transferring highly sensitive information over HTTP is not secure at all.

2. Hardcoded encryption keys: The app has built-in decryption keys that can easily be used to decrypt the information that is sent in an encrypted format.

3. Payload including EAP credentials: VPNs use EAP credentials so that users outside the app cannot connect to the same server. Sending the EAP credentials in the unencrypted payload therefore defeats the purpose.
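A static check for the three issue classes listed above, as an added example that is not from the original post or from the researchers' own tooling: it scans decompiled-style Java for cleartext endpoints, hardcoded key material, and credential fields placed into request payloads. The sample source, hostnames, key string and regex rules are all constructed for illustration.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    rule: str
    line_no: int
    evidence: str


# One or more patterns per issue class. These regexes are assumptions made
# for this example; they are not signatures for any real application.
RULES = [
    # 1. String literals pointing at plain-HTTP endpoints (https is ignored).
    ("cleartext-http", re.compile(r'"(http://[^"\s]+)"')),
    # 2a. A literal string fed straight into a JCA key object.
    ("hardcoded-key", re.compile(r'new\s+SecretKeySpec\(\s*"([^"]+)"\.getBytes')),
    # 2b. A constant whose name says "key"/"secret" holding a literal value.
    ("hardcoded-key", re.compile(r'(?i)\b\w*(?:key|secret)\w*\s*=\s*"([^"]{8,})"')),
    # 3. EAP or password fields written into a request body.
    ("credential-in-payload", re.compile(r'(?i)\.put\(\s*"(\w*(?:eap|passw)\w*)"')),
]

# Constructed sample: decompiled-style Java for a hypothetical VPN client.
SAMPLE_SOURCE = '''\
public class ConfigFetcher {
    private static final String API = "http://api.vpn.example/config";
    private static final String PAYLOAD_KEY = "c0nstructedKey16";
    private static final String DOCS = "https://vpn.example/help";

    byte[] decrypt(byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE,
               new SecretKeySpec("c0nstructedKey16".getBytes(), "AES"), iv);
        return c.doFinal(blob);
    }

    JSONObject buildLogin(String user, String pass) throws Exception {
        JSONObject body = new JSONObject();
        body.put("eap_username", user);
        body.put("eap_password", pass);
        body.put("region", "eu");
        return body;
    }
}
'''


def audit(source: str) -> list[Finding]:
    """Return de-duplicated findings in source order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES:
            for match in pattern.finditer(line):
                finding = Finding(rule, line_no, match.group(1))
                if finding not in findings:
                    findings.append(finding)
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.rule] = counts.get(finding.rule, 0) + 1
    return counts


def credentials_exposed(findings: list[Finding]) -> bool:
    """Issue 3 only matters when the credentials can travel in the clear."""
    rules = {finding.rule for finding in findings}
    return {"cleartext-http", "credential-in-payload"} <= rules


if __name__ == "__main__":
    results = audit(SAMPLE_SOURCE)
    for finding in results:
        print(f"line {finding.line_no:>2}  {finding.rule:<22} {finding.evidence}")
    print("credentials exposed over cleartext:", credentials_exposed(results))
```

Regex matching of this kind only triages source for review; a key assembled at runtime or an endpoint built from string fragments will not match these patterns.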

Notably, SuperVPN was also listed as one of the top 5 VPNs in Google Play Store's search results before it was taken down by the authorities. As per the researchers' findings, it contained vulnerabilities that allowed attackers to carry out man-in-the-middle attacks, also known as MITM attacks. These could expose communication between the user and the provider, giving hackers access to everything the user is doing online, be it browsing tabs in Chrome, making video calls or loading up apps. All of that sensitive data, including passwords, private texts, and voice messages, is made available to the attackers.

Other occasions where SuperVPN drew negative remarks include the app being ranked third by the Australian researchers in an examination of the most malware-rigged VPN apps. The researchers pointed out that the app had been posing risks since it appeared on the Play Store.

While explaining more about the issues, Jan Youngren, Security Researcher at VPNPro, said, "SuperVPN used a wide range of shady techniques to help it rank highly in Google, as well as to hide who actually owns the app, where it’s located, and the other apps from the same developer that may have similar issues."

"But lastly, and most importantly, it seems that the entire time the app was on the Play store, it had critical vulnerabilities in one way or another, either by being a vehicle for malware in 2016 or allowing for MITM attacks just before being removed."

"The only thing unclear now is whether these vulnerabilities are due to mistake, or intention. Nonetheless, there are millions of users right now with a dangerous app on their phone. If you’re one of those users, we implore you to delete SuperVPN immediately," he further added.

Check Point: 56 apps from the Google Play Store hide a new dangerous malware


Check Point experts have identified a new family of malware in the Google Play Store. It was found in 56 Google Play Store apps that have been downloaded almost a million times by users worldwide. 24 of the 56 infected apps are children's games; the rest are utilities such as calculators, translators, cooking apps and others. As specified, the applications emulate the behavior of a real user.

Tekya malware uses the MotionEvent mechanism in Android that simulates a click on an ad banner (first discovered in 2019) to simulate user actions and generate clicks.

Imitating the actions of a real person prevents a program or a third-party observer from detecting the fraud. This helps hackers to attack online stores, make fraudulent ads, promote advertising, promote sites in search engine results, and also carry out banking operations and other illegal actions.

During the research, Tekya went unnoticed by the VirusTotal and Google Play Protect programs.
Hackers created copies of official popular apps to attract an audience, mostly children since most apps with Tekya malware are children's games.

However, the good news is that all infected apps have already been removed from Google Play.
This case shows that malicious app features can still be found in Google Play. Users have access to almost 3 million apps in the Google Play Store, and hundreds of new ones are uploaded daily, making it difficult to check the security of each individual app.

Although Google is taking steps to ensure security and prevent malicious activity on the Google Play Store, hackers are finding ways to access users' devices through the app store. In February, for instance, the Haken family of malware was installed on more than 50 thousand Android devices through various applications that initially seemed safe.

Stay Wary of Third-Party Apps: Malware App 'CovidLock' Locks User Out of their Phone


In an attempt to block misinformation from being spread by developers taking advantage of the COVID-19 charged environment, Google started blocking any search for the terms "COVID-19" and "coronavirus" on the Google Play Store. It had identified certain developers' malicious intent to exploit users' concerns regarding the new coronavirus. As of now, Google's attempt to block searches has yielded positive results, with searches for the aforementioned keywords returning no results at all on the Play Store.

Outside the Play Store, however, searching for the same terms and installing third-party apps is a matter of great concern, as developers are embedding ransomware in apps named after the new coronavirus to deceive uninformed users.

Recently, DomainTools, a threat intelligence company, found an app known as "CovidLock" that is ransomware posing as a 'coronavirus tracking app'. The app appears to be a real-time tracker for the coronavirus, but it functions as malware that locks the user out of their phone and demands a ransom of $100 in bitcoin within 48 hours. If the affected user fails to pay the demanded ransom in the given time, they receive threats that their social media accounts will be exposed online and the data stored on their device will be permanently deleted. It further warns that the device is constantly monitored and that if the user attempts to do anything stupid, everything will be automatically deleted.

However, a piece of good news is that new mobile devices are secured against such attacks, as Google has added a defense against them. But users running versions older than Android Nougat risk having their devices infected by this malware. To stay on the safe side, users are being advised to stick to the Google Play Store when downloading apps. Turning to unauthorized third-party sources invites great danger to user security, especially at a time when our concerns and fears can be exploited and used against us.